
Bank/Tech Contract Concerns Issued By FDIC IG

Written by: Lindsay Harden

The FDIC’s independent Office of Inspector General (OIG) issued a report late last week detailing a study it conducted of contracts between financial institutions and technology service providers (TSPs). The report concluded that such contracts are commonly not sufficient to address certain risks that are inherent in these relationships. Specifically, contracts with TSPs frequently lack specificity and completeness with respect to business continuity and incident response procedures and obligations.

For several years the financial regulatory agencies have shown an interest in third-party risk management, including ensuring adequate protection of private customer information. Recently, the FDIC and FFIEC have engaged in further initiatives related to cybersecurity and outsourcing of technology services. However, according to the FDIC’s Division of Risk Management Supervision, contracts with TSPs are generally out of date and do not reflect recent efforts to strengthen cybersecurity.

Based on a review of 48 contracts between financial institutions and TSPs, the OIG report made the following findings:

  • Financial institution analyses do not fully consider business continuity and incident response risks presented by TSPs
  • Key contract provisions provide limited coverage of the TSP’s business continuity planning and incident response and reporting responsibilities
  • Key contract terms lack clear and specific definition
  • The FDIC has implemented numerous initiatives to address cybersecurity risks
  • Financial institution third-party relationship risks remain and will require continued supervisory attention

In addition, the report provided some examples of necessary types of provisions that are frequently missing from contracts. For instance, only half of the contracts reviewed explicitly included business continuity provisions, and only a handful established clear performance standards and remedies for failure to meet those standards. Furthermore, many key terms used in regulatory and supervisory guidance—including “misuse of information,” “unauthorized access,” “significant disruption,” and “cyber event”—were often unused, undefined, or inadequately defined in TSP contracts.

The FDIC has plans to take certain actions by October of 2018 to follow up on the OIG’s recommendations in the report. One such action is continuing to communicate to financial institutions the importance of effective contracts with TSPs through the FDIC’s risk management supervision program, which includes guidance, examination procedures, examinations, and off-site monitoring.

The OIG report and potential FDIC action provide banks with additional leverage in negotiating TSP contracts. Affected banks should closely review existing contracts, and if your contracts are close to renewal, or if you are considering adding services under those contracts, you have an opportunity to address deficiencies.  You should review the terms of the agreement and work with counsel to identify gaps in existing or proposed agreements. Please contact us if you need assistance, as we have significant experience negotiating and drafting contracts with TSPs and assisting banks with TSP vendor diligence.

For more information, please contact Karen Garrett or Steve Cosentino, leaders of our fintech practice.

February 23, 2017 at 10:00 am

Prudent Risk Management of Oil and Gas Exposures

Written by: Steven Vetter

On July 27, 2016, the Federal Deposit Insurance Corporation (“FDIC”) issued a Financial Institution Letter regarding Prudent Risk Management of Oil and Gas Exposures. The letter states that due to the complex and highly specialized nature of loans to borrowers in the oil and gas industry, banks should be adequately prepared to deal with the accompanying volatility of this industry.  Conservative underwriting, appropriate structuring, experienced and knowledgeable lending staff and sound loan administration practices were cited as prudent risk management tools to protect the bank against the inherent volatility.

To reduce the risk to FDIC supervised institutions, the letter reminds banks to spread their risk by geography, industry or borrower concentrations, whenever possible.  If a bank cannot spread its risk accordingly, it is recommended that the bank assess whether setting the capital level higher than the regulatory minimum would be prudent.

The letter encourages banks that are affected by significant downturns in commodity prices to work with the afflicted companies towards a mutually-advantageous workout plan, while maintaining effective internal controls to manage such loans.

To view the full text of the FDIC guidance, click here.

August 4, 2016 at 8:15 am

FinCEN Issues FAQs on Customer Due Diligence Rule

Written by: Lindsay Harden

On Tuesday, the Financial Crimes Enforcement Network (FinCEN) issued Frequently Asked Questions regarding the new Customer Due Diligence rule.  Affected financial institutions must comply with the new rule beginning on May 11, 2018. This rule will apply to federally regulated banks and federally insured credit unions, among other financial entities, and it imposes heightened customer due diligence requirements as well as a new requirement that covered financial institutions must verify the identity of the beneficial owners of their legal entity customers.

The FAQs offer interpretive guidance that is helpful to understanding the rule. For instance, they clarify the meaning of terms like “beneficial owner” and “legal entity,” and discuss the various exceptions to the rule. In addition, they provide clarification that the rule does not cover existing accounts, and that financial institutions are generally not responsible for incorrect information provided by their customers with respect to the identities of beneficial owners. Click here to review the FAQs and prepare your institution for the Customer Due Diligence rule.


July 22, 2016 at 11:20 am

Financial Regulators Explain Their Expectations for Deposit Reconciliation

Written by: Lindsay Harden

Yesterday, the Federal Reserve Board, CFPB, FDIC, NCUA and OCC issued guidance regarding the agencies’ supervisory expectations for deposit reconciliation on consumer accounts. The agencies summarized their observations on deposit reconciliation practices, and expressed particular concern about credit discrepancies—which occur when a customer deposits more than is ultimately credited to his or her account, resulting in a benefit to the financial institution.

The Interagency Guidance discussed the types of legal and regulatory issues that could arise if a financial institution’s policies or practices do not appropriately reconcile credit discrepancies. For instance, civil liability or agency action could result from failure to comply with the Expedited Funds Availability Act and Regulation CC which implements the Act. The agencies also noted that when ineffective deposit reconciliation practices cause credit discrepancies, they could be considered unfair or deceptive acts or practices under the Federal Trade Commission Act or the Dodd-Frank Act. The agencies did acknowledge, however, that under limited circumstances, proper reconciliation may be impossible, such as when an item has been damaged beyond recognition.

To minimize the risk of financial loss and supervisory action, the agencies suggest financial institutions do the following:

  • Adopt policies and practices designed to avoid discrepancies
  • Effectively manage deposit reconciliation practices to comply with applicable laws or regulations
  • Ensure that any information provided to customers about the institution’s deposit reconciliation practices is accurate
  • Implement effective compliance management systems
  • Above all, ensure consumers are not disadvantaged or harmed by the financial institution’s deposit reconciliation policies and practices

This guidance comes after bank regulators and the CFPB took action in August 2015 against Citizens Financial Group, Inc. and its bank subsidiaries for failing to credit consumers the full amounts of their deposited funds. In its Consent Order with the CFPB, Citizens Bank agreed to pay a total of $18.5 million—$11 million to compensate customers and $7.5 million in civil money penalties. In addition to the CFPB action, the OCC and FDIC separately ordered the banks to pay $10 million and $3 million in civil penalties, respectively.

Go online to view the entire Interagency Guidance.

May 20, 2016 at 11:17 am

FinTech – Embracing the Disruption

Please join us on Wednesday, May 25 for an in-depth discussion on FinTech (Financial Technology). Stinson Leonard Street partners Steve Cosentino, Karen Garrett and Mark Hargrave will discuss what FinTech is and how it will disrupt the financial services industry. In this discussion we will:

  • Explore what types of businesses and services comprise the FinTech industry with a focus on the challenges that FinTech presents to incumbent financial systems and banks
  • Examine the growth of the FinTech industry and how it is likely to expand in the coming years
  • Look at how traditional financial systems and banks can embrace FinTech and turn disruptive technology into an asset

In addition, there will be a discussion of some of the key regulatory challenges facing FinTech. We will cover:

  • Money transmitter issues
  • UDAAP considerations
  • Third party risk management issues

There will also be a non-technical discussion about the consumer data driving much of FinTech. We will address:

  • Security issues and risks relating to the security of customer data
  • Legal issues surrounding the ownership and use of customer data
  • How to address customer data in contracts with FinTech service providers

This program will be presented from our Kansas City office and videoconferenced to our Minneapolis, Denver and St. Louis offices. We will be hosting receptions following the presentations in each of the participating cities.

Register today for this informative seminar

We hope to see you there!



Wednesday, May 25

1:30 p.m. (MDT)
2:30 p.m. (CDT)

2 – 3:30 p.m. (MDT)
3 – 4:30 p.m. (CDT)

Cocktail reception immediately following the program.


Stinson Leonard Street

Kansas City



St. Louis


If you are unable to attend the live presentation, you may join us by webinar.

May 11, 2016 at 7:00 am


Produced & Maintained By Stinson Leonard Street


A legal resource for Banking & Financial Services

